OTP Login, 2FA & Account Security
OTP Login, 2FA & Account Security add-on for CS-Cart
Five phone-based sign-in and account-security features in one add-on — enable only what your store needs
OTP Login, 2FA & Account Security gives your CS-Cart store a complete set of phone-based authentication tools. Customers can sign in with a one-time code sent to their phone instead of a password, log in with a “magic link” emailed to them, or add a one-time code as a second factor on top of their password. You can require new shoppers to verify a real phone number at registration or checkout, and let anyone reset a forgotten password by phone instead of email. Each of the five features has its own on/off switch, so you turn on only what fits your store.
Codes are 4–8 digits (default 6), randomly generated, single-use, and valid for only a few minutes. Three layers of rate limiting — per phone, per visitor, and a store-wide daily cap — keep a runaway flow from draining your SMS budget, while a CAPTCHA challenge and burned codes shut down brute-force guessing. The add-on ships with eight SMS providers out of the box — Twilio, AWS SNS, Vonage, Infobip, MSG91, Gupshup, Unifonic, and a generic Webhook — with optional WhatsApp delivery through Vonage and Infobip. Pick a provider, paste the credentials, send a test code, and you’re live.
Key Features
- Five Features, One Add-on — OTP login, magic link, 2FA, phone verification at registration/checkout, and password reset by phone, each toggled independently
- Eight SMS Providers — Twilio, AWS SNS, Vonage, Infobip, MSG91, Gupshup, Unifonic, and a generic Webhook for any custom integration
- WhatsApp Delivery — send codes over WhatsApp through Vonage and Infobip in addition to SMS
- Strong One-Time Codes — random, single-use, time-limited, and never stored as plain text, checked with a constant-time comparison
- Three Layers of Rate Limiting — per-phone, per-visitor, and a store-wide daily SMS cap so a flood of requests can’t run up your bill
- Brute-Force Protection — a CAPTCHA challenge kicks in after repeated failed attempts and codes are burned after too many wrong guesses
- Trust This Device — returning customers can skip 2FA on a recognized browser for up to 60 days, with a window you choose
- Account Takeover Protection — a phone verified to one account can’t be silently transferred during registration or a phone change, and the verified profile phone field is read-only on both browser and server
- Native CS-Cart Look — success and error banners match CS-Cart’s standard style and phone inputs reuse the registration-page country-flag picker
- Full Audit Log — every code send, failed verify, magic-link click, phone change, and provider error is recorded, with a recent-events panel on the admin user page
- Send Test OTP Tool — confirm your provider is reaching real phones from the settings screen without burning your customer SMS budget
How It Works
- A customer chooses a phone-based option — the “Login with phone” or “Magic link” tab on the sign-in page, or a phone-based password reset
- The add-on validates the phone number, checks the send limits, generates a code, and asks your chosen SMS provider to deliver it (or emails a single-use link for magic-link sign-in)
- The customer enters the code on the verify screen; the add-on checks it, marks it as used so it can’t be replayed, and signs them in with a fresh session
- For two-factor sign-in, CS-Cart confirms the password first, then the add-on sends a code to the verified phone before letting the customer through — unless “Trust this device” is set for that browser
- At registration or checkout, the account or order proceeds normally and the customer verifies the entered phone with a code; if the provider is down or the daily cap is reached, they continue with a warning notice instead of being stuck
- To change a verified number, the customer uses the dedicated “Change phone number” flow, proving the new phone with a fresh code before the change is saved
- A daily cron job cleans up expired codes and old verification records automatically
Requirements
- CS-Cart Store Builder or Multi-Vendor (single or multiple storefronts) 4.6.3 or higher
- PHP 7.4 or higher (PHP 8.0+ recommended)
- An account with a supported SMS provider (Twilio, AWS SNS, Vonage, Infobip, MSG91, Gupshup, Unifonic) or a webhook endpoint that accepts the add-on’s POST requests
- Outbound HTTPS access from your server to your provider’s API endpoint
- A daily cron entry for cleanup (or a periodic click on the “Cleanup” button)
Installation
- Go to Add-ons > Manage add-ons, click Manual installation, and upload the addon zip file
- Activate the addon and enter the license key
- Click the addon name to open its settings, pick your SMS provider, paste the credentials, and choose which of the five features to enable
- Use the Send Test OTP tool in settings to confirm the provider is reaching real phones before turning on customer-facing features
- Add a daily cron entry to call the cleanup endpoint (see the Cron row in Configuration Options)
Configuration Options
Settings are root-administrator only and are grouped into sections. Open them by clicking the addon name (or its gear icon) under Manage add-ons.
| Setting | Description |
|---|---|
| Features | Six independent toggles: Enable OTP login, Enable magic link, Enable two-factor authentication, Enable OTP at registration, Enable OTP at checkout, and Enable password reset via OTP. All start off — turn on only what your store needs. |
| SMS Provider | Choose one of Twilio, AWS SNS, Vonage, Infobip, MSG91, Gupshup, Unifonic, or Webhook. Each provider exposes its own credential fields (only the selected provider’s fields are used); Vonage and Infobip add WhatsApp delivery options, and Webhook takes a URL, optional headers, an optional auth secret, and a JSON body template. |
| OTP Length | 4, 5, 6 (default), 7, or 8 digits. |
| OTP Type | Digits only (default) or alphanumeric. |
| OTP Expiry (minutes) | Default 5. After this many minutes the code is invalid and a new one must be requested. |
| Max Attempts per OTP | Default 5. After this many wrong entries the code is burned. |
| Resend Cooldown (seconds) | Default 60. How long a customer must wait between code requests for the same phone. |
| Default Country Code | For example +1. Used when a phone number is entered without a country code. |
| Phone Format Validation | How strict the phone-input check is. |
| Require Phone at Registration / Checkout | Force a phone field on the registration form or on guest checkout (separate from OTP verification). |
| Trusted Devices | Enable “Trust this device” after a successful 2FA and set the Trust Duration (7, 14, 30, or 60 days). |
| Rate Limits | Rate Limit per Phone (default 5/hour), Rate Limit per IP (default 10/hour), and a Daily SMS Cap per store (default 500). |
| Test Mode | When on, the addon accepts a fixed code (Test Mode Code, default 123456) instead of sending an SMS. For development servers only; an admin banner reminds you it’s on. |
| Templates | SMS Template and WhatsApp Template message text; the placeholder {{code}} is replaced with the one-time code. |
| Admin Tools | Send Test OTP delivers a code to a phone you specify (root admin only, capped at 5 sends per 24 hours per admin). |
| Cron | Add a daily cron entry to run the cleanup, with an optional cron secret so an unattended scheduler can run without an admin session. |
Support
For questions, issues, or feature requests, contact us at www.cartmodules.com.
- 4.10.1
- 4.10.2
- 4.10.3
- 4.10.4
- 4.10.4.SP1
- 4.11.1
- 4.11.2
- 4.11.3
- 4.11.4
- 4.11.5
- 4.12.1
- 4.12.2
- 4.13.1
- 4.13.2
- 4.13.2.SP1
- 4.13.2.SP2
- 4.13.3
- 4.14.1
- 4.14.1.SP1
- 4.14.2
- 4.14.2.SP1
- 4.14.3
- 4.14.3.SP1
- 4.15.1
- 4.15.1.SP1
- 4.15.1.SP2
- 4.15.1.SP3
- 4.15.1.SP4
- 4.15.2
- 4.16.1
- 4.16.2
- 4.17.1
- 4.17.2
- 4.17.2.SP1
- 4.6.3
- 4.7.1
- 4.7.2
- 4.7.3
- 4.7.4
- 4.8.1
- 4.8.2
- 4.9.1
- 4.9.2
- 4.9.3
- English
- Multi-Vendor
- Multi-Vendor Plus
- Multi-Vendor Ultimate
- Store Builder
- Store Builder Plus
- Store Builder Ultimate
Addons features
- Backend
- For customer
- For owner
- For vendor
Shared features
No reviews found








